Date: Thu, 7 Dec 2000 14:35:05 -0500 
From: Frederik Lindberg <fred@CHEETAHMAIL.COM>
Subject: ezmlm-cgi/ezmlm-idx-0.40 security advisory
To: BUGTRAQ@SECURITYFOCUS.COM

Summary:

ezmlm-cgi is part of the ezmlm-idx-0.40.tar.gz package and allows web access to mailing list archives. When ezmlm-cgi is installed SUID (user other than root), it can be used to execute arbitrary commands with the effective uid of the SUID user.

Scope:

Default installations of ezmlm-idx-0.40 are not vulnerable since ezmlm-cgi is not installed SUID by default. SUID root installations are not vulnerable since ezmlm-cgi uses a fixed configuration file location and drops privileges in this execution mode. SUID user (user != root) installations are discussed in the man page, but should be rare. Their vulnerability depends on the group and world execute permissions of the ezmlm-cgi binary.

Credit:

Thanks to vortfu (vort@wiretapped.net) for reporting this. I sincerely apologize for my initial somewhat obnoxious follow-up post. ezmlm-idx-0.40 is an add-on to Dan Bernstein's ezmlm-0.53 package. The responsibility for this flaw is entirely mine (Dan would never make a mistake like this).

Details:

ezmlm-cgi can be installed by a user to allow web access to that user's mailing list archives. It reads a config file from the working directory. The config file can contain a banner program name. This program is executed by ezmlm-cgi.

ezmlm-cgi can be installed SUID root. In this case, ezmlm-cgi reads a config file from /etc, does a chdir/chroot to the list directory, drops root privileges, verifies this, then optionally executes a banner program.

When installed SUID user != root, ezmlm-cgi behaves just as for normal installs. A user with execute permissions to the ezmlm-cgi binary can create his own config file directing ezmlm-cgi to execute an arbitrary program with the effective user id of the ezmlm-cgi binary.
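The root cause described above is a setuid binary trusting a configuration file taken from its working directory. The C sketch below is an added example, not code from ezmlm-cgi: it shows the decision the SUID-root path gets right (fixed config location, privilege drop with verification) and the banner policy the fix adopts (inline HTML only, never a program). The config file names are placeholders assumed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example, not ezmlm-cgi code. Both paths are placeholders. */
#define CFG_SYSTEM "/etc/ezmlm-cgirc"   /* assumed fixed, root-owned location */
#define CFG_LOCAL  "ezcgirc"            /* assumed config name in the cwd */

/* Pick the config a CGI may trust, given its real and effective uids.
 * - same uid: normal mode, the caller's own cwd config is fine
 * - euid 0:   SUID root, only the fixed system location is trusted
 * - other:    SUID user; a cwd config would be written by whoever runs
 *             the binary, which is the advisory's flaw, so refuse. */
const char *trusted_config(uid_t ruid, uid_t euid)
{
    if (ruid == euid)
        return CFG_LOCAL;
    if (euid == 0)
        return CFG_SYSTEM;
    return NULL;
}

/* Post-fix banner policy: only an inline HTML fragment is accepted.
 * The patched ezmlm-cgi tests the first character, so anything else
 * (a program path, for instance) is rejected instead of executed. */
int banner_is_html(const char *banner)
{
    return banner != NULL && banner[0] == '<';
}

/* Drop to an unprivileged uid/gid and verify that the drop took effect:
 * the "drops root privileges, verifies this" step of the SUID-root path.
 * Returns 0 on success, -1 if the ids could not be changed or root can
 * still be regained (setuid(0) must fail afterwards). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)                       /* "dropping" to root is no drop */
        return -1;
    if (setgid(gid) != 0)               /* gid first, while still able to */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* must not be able to climb back */
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}
```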
Fix:

A patched version of ezmlm-cgi.c, ezmlm-cgi.1 (man page), as well as the patch (ezmlm-cgi.patch) are available from ftp://ftp.ezmlm.org/pub/patches/ and http://www.ezmlm.org/pub/patches/. This version removes the support for the execution of banner programs. HTML banners are still supported. The (small) patch can also be found below.

Alternatively, ensure that you have not installed ezmlm-cgi SUID user.

Sincerely, Fred Lindberg

--
--- ezmlm-cgi.c.orig Thu Dec 7 13:26:45 2000 +++ ezmlm-cgi.c Thu Dec 7 13:36:30 2000 @@ -805,31 +805,8 @@ if ((flagspecial & SPC_BANNER) && banner && *banner) { oputs("<DIV class=banner>\n"); if (*banner == '<') oputs(banner); - else { - substdio_flush(&ssout); - sig_pipeignore(); - bannerargs[0] = banner; - bannerargs[1] = host; - bannerargs[2] = local; - bannerargs[3] = 0; - /* We log errors but just complete the page anyway, since we're */ - /* already committed to output something. */ - switch(child = fork()) { - case -1: - strerr_warn3(FATAL,ERR_FORK,"banner program: ",&strerr_sys); - break; - case 0: - execv(*bannerargs,bannerargs); - strerr_die3x(100,FATAL,ERR_EXECUTE,"banner program: "); - break; - } - /* parent */ - wait_pid(&wstat,child); - if (wait_crashed(wstat)) - strerr_warn2(FATAL,ERR_CHILD_CRASHED,(struct strerr *) 0); - if (wait_exitcode(wstat)) - strerr_warn2(FATAL,ERR_CHILD_UNKNOWN,(struct strerr *) 0); - } + else + strerr_die2x(100,FATAL,"Sorry - banner programs not supported"); oputs("</DIV>\n"); } oputs("</BODY>\n\n"); --- ezmlm-cgi.1.orig Thu Dec 7 13:40:43 2000 +++ ezmlm-cgi.1 Thu Dec 7 13:56:44 2000 
@@ -234,16 +234,21 @@ to avoid trapping robots in the archive. .SH EXECUTION .B ezmlm-cgi -can operate in three modes, -.IR SUID\ root , -.IR SUID\ user , +can operate in two modes, +.I SUID\ root and .IR normal . +.B ezmlm-cgi +should not be installed SUID +.I user +other than root. +Please see the +.B SECURITY +section before installing SUID +.IR root . In .I normal -and -.I SUID user mode, .B ezmlm-cgi will read the configuration file @@ -255,9 +260,7 @@ .B ezmlm-cgi is in), then change directory to the list directory. ``uid'' is ignored. -.I SUID user -may be required to read the particular archive if it is not owned by the -httpd user. For user installations or systems where +For user installations or systems where the httpd user has access to all the lists, .I normal mode usually gives sufficient access. 
@@ -277,22 +280,10 @@ directory is not, it is safest to leave ``uid'' blank. The httpd user will still be able to read the files. .SH "EXECUTION OF BANNER PROGRAMS" -A banner program can be specified in the config file. It is executed -immediately before the end of the text. The formatting for -``<BODY>'' is active and the banner program output is encapsulated in -a ``<DIV class=banner>'' segment to allow additional formatting. -The banner program is called for all summary views, but not for the message -view itself. - -The banner program is give the list local name as argument 1, and the host -name as argument 2. It is expected to exit 0 on success. The return code is -checked, but the archive page (and whatever the banner program has already -produced) is output even if the banner program fails. - -.B chroot(3) -may make it difficult to run banner programs that depend on e.g. ``sh'' -or ``perl''. For this reason, the chroot call can be suppressed by prefixing -the ``uid'' with a ``-''. +.B ezmlm-cgi +supports display of banners, but not execution of banner programs. To +obtain dynamic banners, use a URL that points to a banner program elsewhere. + .SH SECURITY .B ezmlm-cgi will refuse to run as root. @@ -308,14 +299,8 @@ list directories and archives). .B ezmlm-cgi -will allow execution of banner programs that are located outside of the list -directory. These are executed with the privileges of the userid set in the -config file. If the program is installed SUID root, banner programs outside -of the list directory are not normally accessible. Even when this is overridden, -.B ezmlm-cgi -will never execute the program with root permissions. +will not allow execution of banner programs. -Input to the CGI script is not propagated to the banner program. .SH BUGS .B ezmlm-send(1) updates the list message counter once a message is safely archived, but -- Sincerely, Fred Frederik Lindberg, CTO, CheetahMail
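Review bot: in the ezmlm-cgi.c hunk (@@ -805,31 +805,8 @@) the new `else` branch turns a configured non-HTML banner into a fatal exit via `strerr_die2x(100,FATAL,"Sorry - banner programs not supported")` after `oputs("<DIV class=banner>\n")` has already been queued, so a list whose config still names a banner program now gets a truncated page instead of the archive view the removed comment promised ("We log errors but just complete the page anyway"). Consider a `strerr_warn2` followed by the closing `oputs("</DIV>\n")`, or rejecting a banner that does not start with `<` when the config is parsed, before any output is produced. With `fork`, `execv`, `wait_pid` and `sig_pipeignore` gone from this branch, the `child`, `wstat` and `bannerargs` variables and the headers behind those calls (declared outside this hunk) are presumably unused now and should be dropped to keep the build warning-free.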
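Review bot: the EXECUTION hunk of ezmlm-cgi.1 (@@ -234,16 +234,21 @@) says ezmlm-cgi "should not be installed SUID user other than root" but gives no reason, and the SECURITY section later only states that banner programs are not executed. One line explaining that in normal mode (which a SUID user install inherits) the configuration file is read from the working directory, so anyone able to execute the binary can supply their own, would tell an admin why the restriction exists. Also, "Please see the SECURITY section before installing SUID root" reads as if SUID root were the risky mode, whereas the advisory describes it as the safe one (fixed config location, privilege drop); consider rewording so the warning points at SUID user.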
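Review bot: the banner hunk of ezmlm-cgi.1 (@@ -277,22 +280,10 @@) now says only that banners are displayed, but the code distinguishes HTML from a program solely by the first character (`if (*banner == '<')`), and a banner value that does not begin with `<` makes ezmlm-cgi exit with "Sorry - banner programs not supported". Document that the banner entry must be an inline HTML fragment starting with `<` and what happens otherwise, so existing configs that still name a program can be migrated. The section heading is still "EXECUTION OF BANNER PROGRAMS"; renaming it to match the new content (e.g. "BANNERS") would avoid confusion.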